diff --git a/src/documents/tests/test_admin.py b/src/documents/tests/test_admin.py
index 61a579dc7..ef776269a 100644
--- a/src/documents/tests/test_admin.py
+++ b/src/documents/tests/test_admin.py
@@ -160,3 +160,28 @@ class TestPaperlessAdmin(DirectoriesMixin, TestCase):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         superuser.refresh_from_db()
         self.assertEqual(superuser.first_name, "Updated")
+
+    def test_superuser_can_only_be_deleted_by_superuser(self):
+        superuser = User.objects.create_superuser(username="superuser", password="test")
+        user = User.objects.create(
+            username="test",
+            is_superuser=False,
+            is_staff=True,
+        )
+        delete_user_perm = Permission.objects.get(codename="delete_user")
+        user.user_permissions.add(delete_user_perm)
+
+        self.client.force_login(user)
+        response = self.client.delete(f"/api/users/{superuser.pk}/")
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertEqual(
+            response.content.decode(),
+            "Superusers can only be deleted by other superusers",
+        )
+        self.assertTrue(User.objects.filter(pk=superuser.pk).exists())
+
+        self.client.logout()
+        self.client.force_login(superuser)
+        response = self.client.delete(f"/api/users/{superuser.pk}/")
+        self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)
+        self.assertFalse(User.objects.filter(pk=superuser.pk).exists())
diff --git a/src/paperless/views.py b/src/paperless/views.py
index 2a2ee9518..1464a0e98 100644
--- a/src/paperless/views.py
+++ b/src/paperless/views.py
@@ -180,6 +180,16 @@ class UserViewSet(ModelViewSet):
             )
         return super().update(request, *args, **kwargs)
 
+    def destroy(self, request, *args, **kwargs):
+        user_to_delete: User = self.get_object()
+
+        if not request.user.is_superuser and user_to_delete.is_superuser:
+            return HttpResponseForbidden(
+                "Superusers can only be deleted by other superusers",
+            )
+
+        return super().destroy(request, *args, **kwargs)
+
     @extend_schema(
         request=None,
         responses={
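Review bot: The new test only exercises the blocked path and the superuser-on-superuser path, so a regression that makes `destroy` refuse every delete (for example an inverted condition) would still pass it; there is no control case where the staff user with `delete_user` removes an ordinary, non-superuser account and gets 204. I would add that case before the `self.client.logout()` line, roughly `regular = User.objects.create(username="regular")`, `response = self.client.delete(f"/api/users/{regular.pk}/")`, `self.assertEqual(response.status_code, status.HTTP_204_NO_CONTENT)`. Note also that the second half has the superuser deleting its own account rather than another superuser, which is a legitimate but unusual scenario; a second superuser as the target would match the test name more closely. The enclosing class `TestPaperlessAdmin` starts before the hunk.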
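Review bot: The 403 in the new `destroy` is built with Django's `HttpResponseForbidden`, which returns from the viewset without passing through DRF's exception handler and renderers, so this one error arrives as plain text while the rest of the API reports errors as JSON with a `detail` key; `raise PermissionDenied("Superusers can only be deleted by other superusers")` (from `rest_framework.exceptions`) keeps the 403 and the consistent body shape, with the test then asserting on `response.json()["detail"]`. The context line `return super().update(...)` preceded by a closing `)` suggests `update` already uses the same pattern and possibly the same message, in which case the string is worth hoisting into one module-level constant so the two checks cannot drift. A short docstring would also help, e.g. `"""Delete a user; only superusers may delete superuser accounts."""`. The method `destroy` is fully inside the hunk; the enclosing `UserViewSet` starts earlier.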